Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the FY 2013 United States Customs and Border Protection Financial Statement Audit

OIG-14-96                                   May 2014

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

May 28, 2014

MEMORANDUM FOR:   Charles Armstrong
                  Chief Information Officer
                  U.S. Customs and Border Protection

                  Deborah Schilling
                  Chief Financial Officer
                  U.S. Customs and Border Protection

FROM:             Richard Harsche
                  Acting Assistant Inspector General
                  Office of Information Technology Audits

SUBJECT:          Information Technology Management Letter for the FY 2013 United States Customs and Border Protection Financial Statement Audit

Attached for your information is our final report, Information Technology Management Letter for the FY 2013 United States Customs and Border Protection Financial Statement Audit. This report contains comments and recommendations related to information technology internal control deficiencies that were not required to be reported in the Independent Auditors' Report.

We contracted with the independent public accounting firm KPMG LLP (KPMG) to conduct the audit of Department of Homeland Security fiscal year 2013 consolidated financial statements. The contract required that KPMG perform its audit according to generally accepted government auditing standards and guidance from the Office of Management and Budget and the Government Accountability Office. KPMG is responsible for the attached management letter dated March 19, 2014, and the conclusion expressed in it.

Please call me with any questions, or your staff may contact Sharon Huiswoud, Director, Information Systems Audit Division, at (202) 254-5451.

Attachment

KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

March 19, 2014

Office of Inspector General,
Chief Information Officer and Chief Financial Officer,
U.S. Department of Homeland Security

Chief Information Officer and Chief Financial Officer,
U.S. Customs and Border Protection

Ladies and Gentlemen:

In planning and performing our audit of the consolidated balance sheets of the U.S. Customs and Border Protection (CBP), a component of the U.S. Department of Homeland Security (DHS), and the related consolidated statements of net cost, changes in net position, and custodial activity, and the combined statements of budgetary resources as of and for the years ended September 30, 2013 and 2012 (hereinafter, referred to as "consolidated financial statements"), in accordance with auditing standards generally accepted in the United States of America, we considered CBP's internal control over financial reporting (internal control) as a basis for designing audit procedures that are appropriate in the circumstances for the purpose of expressing our opinion on the consolidated financial statements, but not for the purpose of expressing an opinion on the effectiveness of CBP's internal control. We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and the Office of Management and Budget (OMB) Bulletin No. 14-02, Audit Requirements for Federal Financial Statements. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. Accordingly, we do not express an opinion on the effectiveness of CBP's internal control.

In accordance with Government Auditing Standards, our Independent Auditors' Report, dated January 30, 2014, included internal control deficiencies identified during our audit that represented a significant deficiency in information technology (IT) controls at CBP.
This letter represents the separate limited distribution report mentioned in that report.

During our audit we noted certain matters involving internal control and other operational matters that are presented for your consideration. These comments and recommendations, all of which have been discussed with the appropriate members of management and communicated through Notices of Findings and Recommendations (NFRs), are intended to improve internal control or result in other operating efficiencies and are summarized as described below.

With respect to CBP's financial systems' IT controls, we noted certain matters in the areas of security management, access controls, configuration management, contingency planning, and IT application controls. These matters are described in the General IT Control Findings and Recommendations and IT Application Controls sections of this letter.

The Table of Contents identifies each section of the letter. We have provided a description of key CBP financial systems and IT infrastructure within the scope of the FY 2013 CBP consolidated financial statement audit engagement in Appendix A, and a list of each IT NFR communicated to management during our audit in Appendix B.

Our audit procedures are designed primarily to enable us to form an opinion on the financial statements, and therefore may not bring to light all deficiencies in policies or procedures that may exist. We aim, however, to use our knowledge of CBP's organization gained during our work to make comments and suggestions that we hope will be useful to you.

We would be pleased to discuss these comments and recommendations with you at any time.

The purpose of this letter is solely to describe comments and recommendations intended to improve internal control or result in other operating efficiencies. Accordingly, this letter is not suitable for any other purpose.

Very truly yours,

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.

Department of Homeland Security
Information Technology Management Letter
Customs and Border Protection
September 30, 2013

TABLE OF CONTENTS

Objective, Scope, and Approach
Summary of Findings
General IT Control Findings and Recommendations
   Findings
       Security Management
       Access Controls
       Configuration Management
       Contingency Planning
   Recommendations
       Security Management
       Access Controls
       Configuration Management
       Contingency Planning
IT Application Controls

APPENDICES

Appendix A   Description of Key CBP Financial Systems and IT Infrastructure within the Scope of the FY 2013 CBP Financial Statement Audit
Appendix B   FY 2013 IT Notices of Findings and Recommendations at CBP

OBJECTIVE, SCOPE, AND APPROACH

Objective

We have audited the consolidated balance sheets of the U.S. Customs and Border Protection (CBP), a component of the U.S. Department of Homeland Security (DHS), as of September 30, 2013 and 2012, and the related consolidated statements of net cost, changes in net position, and custodial activity, and the combined statements of budgetary resources (referred to herein as the "fiscal year (FY) 2013 consolidated financial statements"). In connection with our engagement to audit CBP's consolidated financial statements, we performed an evaluation of selected general information technology (IT) controls (GITCs) and IT application controls at CBP to assist in planning and performing our audit engagement.

Scope

The scope of our GITC and IT application control test work is described in Appendix A, which provides a description of the key CBP financial systems and IT infrastructure within the scope of the FY 2013 CBP consolidated financial statement audit engagement.

Approach

General Information Technology Controls

The Federal Information System Controls Audit Manual (FISCAM), issued by the U.S. Government Accountability Office, formed the basis of our GITC evaluation procedures.

FISCAM was designed to inform financial statement auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial statement audit. FISCAM also provides guidance to auditors when considering the scope and extent of review that generally should be performed when evaluating GITCs and the IT environment of a Federal agency. FISCAM defines the following five control categories to be essential to the effective operation of GITCs and the IT environment:

- Security Management – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
  - In conjunction with our test work of security management GITCs, limited after-hours physical security testing at select CBP facilities was conducted to identify potential control deficiencies in non-technical aspects of IT security.
- Access Control – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.
- Configuration Management – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended.
  - We performed technical information security testing for key CBP network and system devices. The technical security testing was performed from within select DHS facilities and focused on production devices that directly support CBP's financial processing and key general support systems.
- Segregation of Duties – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.
- Contingency Planning – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

IT Application Controls

We performed testing over selected key IT application controls on financial systems and applications to assess the financial systems' internal controls over the input, processing, and output of financial data and transactions. FISCAM defines application controls as the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.

SUMMARY OF FINDINGS

During FY 2013, CBP took corrective action to address certain prior year IT control deficiencies. For example, CBP made improvements over designing and implementing certain configuration management and security management controls over CBP information systems, as well as strengthening and improving controls around physical and logical access (including enforcement of segregation of duties). However, during FY 2013, we continued to identify IT application control deficiencies related to financial system functionality, and GITC deficiencies related to controls over physical and logical access (including the generation and review of audit logs), configuration management, and contingency planning, for CBP core financial and feeder systems and associated General Support System (GSS) environments.

Collectively, the IT control deficiencies limited CBP's ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted CBP's internal controls over financial reporting and its operations. We consider certain deficiencies to represent a significant deficiency at CBP under standards established by the American Institute of Certified Public Accountants.

Of the 29 IT Notices of Findings and Recommendations (NFRs) issued during our FY 2013 testing, 17 were repeat findings, either partially or in whole from the prior year, and 12 were new findings. The 29 IT NFRs issued represent deficiencies in four of the five FISCAM general IT control categories, as well as in the area of IT application controls.

The majority of findings resulted from the lack of properly documented, fully designed and implemented, adequately detailed, and consistently implemented financial system controls to comply with DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program, requirements and National Institute of Standards and Technology (NIST) guidance. Specifically, the findings stem from:

1. Inadequately designed and ineffective access control policies and procedures relating to the management of logical and physical access to financial applications, databases, and support systems;
2. Insufficient logging of system events and monitoring of audit logs;
3. Patch, configuration, and vulnerability management control deficiencies within systems;
4. Inconsistently implemented backup management controls; and
5. System functionality limitations preventing adequate implementation of automated preventative or detective controls to support management and implementation of custodial revenue and drawback processes.

These deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and CBP financial data could be exploited, thereby compromising the integrity of CBP financial data used by management and reported in the consolidated financial statements.

While the recommendations made by us should be considered by CBP, it is the ultimate responsibility of CBP management to determine the most appropriate method(s) for addressing the deficiencies identified.

GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Findings

During our audit of the FY 2013 CBP consolidated financial statements, we identified the following GITC deficiencies.
Certain deficiencies, in the aggregate, are considered a significant deficiency at CBP. For our assessment of the deficiencies, see Appendix B.

Security Management

- Separation clearance actions for separated or transferred Federal employees and contractors were not consistently or timely documented or implemented in accordance with DHS and CBP policy.

After-Hours Physical Security Testing

On June 26 and July 22, 2013, we performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects included physical access to printed or electronic media, equipment, or credentials residing within a CBP employee's or contractor's work area or shared workspaces which could be used by others to gain unauthorized access to financial systems or other systems containing sensitive information. The testing was performed at various CBP locations in the Washington, DC, metropolitan area and Indianapolis, Indiana that process, maintain, and/or have access to financial data.

We observed 123 instances where passwords, sensitive IT information (such as server names or IP addresses), keys, unsecured or unlocked credentials, credit cards, laptops, remote access devices, external media, and printed materials marked "For Official Use Only" or containing sensitive Personally Identifiable Information were accessible by individuals without a "need to know".

Access Controls

- Segregation of duties conflicts existed relative to administrator accounts on configuration management utilities used for CBP financial applications, and compensating controls to log and review administrator activity were not consistently implemented.
- DHS and CBP requirements for password complexity and lifetime were not fully implemented for accounts on the Systems, Applications, and Products (SAP) UNIX server, Automated Commercial Environment (ACE) Advanced Interactive eXecutive (AIX) operating system, and ACE Database 2 (DB2).
- Audit logs, including logs of emergency developer access to the production environment, for components of the SAP and Automated Commercial System (ACS) environments (including the application, database, and operating system/mainframe layers) were not consistently reviewed by management in accordance with DHS and CBP policy, and risk assessments were not performed to identify relevant security events subject to requirements for logging and periodic review.
- Developers were granted emergency access functions within the ACS production environment in violation of the principle of least privilege as referenced in NIST guidance. The access granted was not commensurate with job responsibilities.
- Account management activities on CBP financial systems (including the application, database, and operating system/mainframe layers) and the District of Columbia (DC) Metropolitan (Metro) Local Area Network (LAN), including authorization of new access, periodic recertification of access, and revocation of access from separated or transferred Federal employees and contractors, were not consistently or timely documented or implemented in accordance with DHS and CBP policy.
- Logs of visitor access to the server room within the National Data Center were not consistently maintained.
- DHS and CBP requirements for the assignment of unique application account identifiers were not consistently implemented.

Configuration Management

- Security patch management and configuration deficiencies were identified during the vulnerability assessment on hosts supporting the SAP environment.
- Access to CBP application test and development environments was not consistently or timely documented or authorized in accordance with DHS and CBP policy.

Contingency Planning

- Backup parameters were not configured in accordance with CBP requirements.

Recommendations

We recommend that the CBP Office of the Chief Information Officer (OCIO) and Office of the Chief Financial Officer (OCFO) make the following improvements to CBP's financial management systems and associated IT security program (in accordance with CBP and DHS requirements, as applicable).

Security Management

- Continue to maintain and enforce existing security awareness campaigns, enhance focus on conducting periodic desktop reviews, and consider adding penalties for users with multiple recurring documented violations of security awareness policies and physical security requirements.

Access Controls

- Evaluate and enforce the configuration management Administrator access audit log process to ensure that configuration management Administrator access audit logs are reviewed on a monthly basis, that the reviews are documented, and that audit log review evidence is maintained.
- Implement technical controls, including a password value check, to ensure that passwords for CBP operating system and database accounts are configured in accordance with DHS and CBP requirements for complexity and lifetime.
- Perform and document a risk assessment to identify relevant security events on the SAP and ACS environments which should be subject to requirements for logging and periodic review.
- Conduct a cost-benefit analysis to determine the feasibility of implementing a tool or enhanced system functionality to automate the aggregation and review of system logs.
- Implement monitoring controls over the audit log review process in the SAP and ACS environments to ensure that audit logs, including logs of emergency developer access to the production environment, are reviewed by management on a periodic basis, that the reviews are documented, and that audit log review evidence is maintained.
- Implement monitoring controls over the account management process within the ACS production environment, including with respect to developer emergency access to production, to ensure that access granted is limited to the necessary application functions commensurate with job responsibilities.
- Perform a root cause analysis to determine the source of instances of non-compliance with the annual account recertification process and, if appropriate, develop an enterprise-level solution to implement monitoring controls to ensure that all accounts are recertified annually.
- Implement monitoring controls over the account management process, including escalation to management for follow-up and enforcement as appropriate, to ensure that all users are granted access to CBP systems.
- Perform a root cause analysis to determine the source of instances of non-compliance with separation and transfer clearance and account revocation processes for Federal employees and contractors, and implement monitoring controls to ensure that all access to CBP systems is revoked in a timely manner.
- Review and, if appropriate, update, disseminate, and implement monitoring controls to enforce revised CBP directives to ensure that the process for tracking contractor employees is consistent.
- Review and, if appropriate, update, disseminate, and implement monitoring controls to enforce the physical security and visitor access management policies and procedures to ensure that visitor access to the server room is consistently logged.
- Implement monitoring controls over the account provisioning process to ensure that all users are assigned unique application account identifiers.

Configuration Management

- Implement the specific vendor-recommended corrective actions detailed in the NFRs that were issued for deficiencies identified during the vulnerability assessment.
- Document and implement a formal access management policy for granting access to CBP application test and development environments to ensure that access is consistently and timely documented and authorized.

Contingency Planning

- Implement monitoring controls over backup processes and system configurations to ensure that backups continue to be performed daily.

IT APPLICATION CONTROLS

During the FY 2013 CBP financial statement audit, we identified the following IT application control and financial system functionality deficiency that, when aggregated with the GITC deficiencies, is considered a significant deficiency at CBP:

Finding

- ACS lacks the controls necessary to prevent, or detect and correct, excessive drawback claims. Specifically, the programming logic for the system does not link drawback claims to imports at a detailed, line item level. This would potentially allow the importer to receive payment in excess of an allowable amount.

Recommendation

- We recommend that the CBP OCIO and OCFO continue to pursue alternative compensating or automated controls and measures that may ultimately remediate the risk of overpayment and identify the potential revenue loss exposure to CBP.
These alternative internal controls over drawback claims\n   may enhance CBP\xe2\x80\x99s ability to compare, verify, and track essential information on drawback claims\n   and identify duplicate or excessive drawback claims.\n\n\n\n\n                                                    8\n\n\x0c                      Department of Homeland Security\n                 Information Technology Management Letter\n\n                       Customs and Border Protection\n\n                            September 30, 2013\n\n\n\n\n                            Appendix A\n\nDescription of Key CBP Financial Systems and IT Infrastructure\n\nwithin the Scope of the FY 2013 CBP Financial Statement Audit\n\n\n\n\n\n                                    9\n\n\x0c                                                                                             Appendix A\n\n                                   Department of Homeland Security\n                              Information Technology Management Letter\n                                    Customs and Border Protection\n                                         September 30, 2013\n\n\nBelow is a description of significant CBP financial management systems and supporting IT infrastructure\nincluded in the scope of the CBP FY 2013 financial statement audit.\n\nSystems, Applications, and Products (SAP) Enterprise Central Component (ECC)\n\nSAP is CBP\xe2\x80\x99s financial system of record. SAP is a major integrated client/server-based financial\nmanagement system implemented by CBP to manage assets (e.g., budget, logistics, procurement, and\nrelated policy) and revenue (e.g., accounting and commercial operations: trade, tariff, and law\nenforcement), and to provide information for strategic decision making. 
The SAP instance includes several\nmodules (including ECC 6.0, Intelligent Procurement, and Budget Tools) that provide system functionality\nfor Funds Management, Budget Control, General Ledger, Real Estate, Property, Internal Orders, Sales and\nDistribution, Special Purpose Ledger, and Accounts Payable functionality, among others. The SAP ECC\nfinancial management system was included within the scope of the FY 2013 financial statement audit. The\nBorder Enforcement and Management Systems (BEMS) Program Office and the Enterprise Data\nManagement and Engineering (EDME) Program Office own the SAP application, UNIX and Windows\noperating systems and Oracle database located in Virginia (VA).\n\nAutomated Commercial Environment (ACE)\n\nACE is the commercial trade processing system being developed and implemented by CBP to replace the\nAutomated Commercial System (ACS). The mission of ACE is to implement a secure, integrated,\ngovernment-wide system for the electronic collection, use, and dissemination of international trade and\ntransportation data essential to Federal agencies. ACE is a custom-developed, internet-facing, multi-tier\nsystem with high availability characteristics, and it processes sensitive data. ACE is being deployed in\nphases over several years. As a result, some financial modules will remain in the ACS operating\nenvironment until they can be developed and deployed in ACE. Since ACE was partially implemented\nduring FY 2013, it was included within the scope of the FY 2013 financial statement audit. 
The Cargo Systems Program Office (CSPO), the Enterprise Networks and Technology Support (ENTS) Program Office, and the EDME Program Office own the ACE application, the AIX operating system, and the DB2 database located in VA.

Automated Commercial System (ACS)

ACS is a collection of seven mainframe-based sub-systems used by CBP to track, control, and process commercial goods and conveyances entering United States territory, for the purpose of collecting import duties, fees, and taxes owed to the Federal Government. ACS collects duties at ports, collaborates with financial institutions to process duty and tax payments, provides automated duty filing for trade clients, and shares information with the Federal Trade Commission on trade violations, illegal imports, and terrorist activities. The ACS system was included within the scope of the FY 2013 financial statement audit. The CSPO and the ENTS Program Office own the ACS application and the mainframe located in VA.

District of Columbia Metropolitan Local Area Network (DC Metro LAN)

The DC Metro LAN provides CBP’s DC area employees and contractors with user access to enterprise-wide applications and systems. The mission of the DC Metro LAN is to support the mission of CBP operational elements in the DC Metro LAN region of the organization.
The boundary of the DC Metro LAN includes tools such as personal computers, laptop computers, printers, and file/print servers that enable CBP officers and agents to interact with all other applications and systems in the CBP environment. The DC Metro LAN supports ACE, ACS, and SAP and provides authentication mechanisms that are used by SAP for single sign-on capability; as a result, the DC Metro LAN was included within the scope of the FY 2013 financial statement audit. The Field Support Program Office and the EDME Program Office own the DC Metro LAN located in VA.

                          Appendix B

FY 2013 IT Notices of Findings and Recommendations at CBP

FY 2013 NFR #(1)  NFR Title                                                                                     FISCAM Control Area        New Issue  Repeat Issue  More Significant(2)
CBP-IT-13-01      Inappropriately Configured Password Parameters for SAP UNIX Operating System (OS)             Access Controls            X
CBP-IT-13-02      Audit Activity Logs Not Reviewed for SAP Oracle Database (DB)                                 Access Controls                       X             X
CBP-IT-13-03      Lack of Review of SAP Windows OS Accounts                                                     Access Controls                       X             X
CBP-IT-13-04      Incomplete SAP UNIX OS Backups                                                                Contingency Planning       X
CBP-IT-13-05      Lack of Evidence of Review of SAP UNIX OS Audit Logs                                          Access Controls            X                        X
CBP-IT-13-06      Lack of Review of ACS Application Audit Logs                                                  Access Controls                       X             X
CBP-IT-13-07      Security Awareness Issues Identified during After-Hours Physical Security Testing at CBP      Security Management                   X
CBP-IT-13-08      Lack of Review of Developer Access to the ACS Production Application Data                     Access Controls                       X             X
CBP-IT-13-09      Inappropriately Configured ACE AIX OS Password Parameters                                     Access Controls            X
CBP-IT-13-10      Inappropriately Configured ACE DB2 Database Password Parameters                               Access Controls            X
CBP-IT-13-11      Lack of Functionality in the ACS                                                              Business Process Controls             X             X
CBP-IT-13-12      Lack of Review of ACE DB2 Database Accounts                                                   Access Controls            X                        X
CBP-IT-13-13      Lack of Annual Recertification of Mainframe Privileged Users                                  Access Controls                       X
CBP-IT-13-14      Incomplete Raised Floor Visitors Logs                                                         Access Controls            X
CBP-IT-13-16      Weaknesses in Creating New DC Metro LAN Accounts                                              Access Controls                       X
CBP-IT-13-17      Separated Personnel on SAP Application User Listing                                           Access Controls                       X             X
CBP-IT-13-18      Weaknesses in Creating New ACE Accounts                                                       Access Controls                       X             X
CBP-IT-13-19      Weaknesses in Creating New ACS Accounts                                                       Access Controls                       X             X
CBP-IT-13-20      SAP Configuration Baseline Weaknesses                                                         Configuration Management   X                        X
CBP-IT-13-22      Separated Personnel on Mainframe User Listing                                                 Access Controls                       X             X
CBP-IT-13-23      Weaknesses in Documenting New ACE User Accounts in the Development and Testing Environments   Configuration Management   X
CBP-IT-13-24      ACS Segregation of Duties Weaknesses over the Production Environment                          Access Controls                       X             X
CBP-IT-13-25      Lack of Unique Account Identifiers for ACS                                                    Access Controls            X
CBP-IT-13-28      ACS Application Recertification Weaknesses                                                    Access Controls            X                        X
CBP-IT-13-29      Audit Activity Logs Not Generated or Reviewed for SAP Windows OS                              Access Controls            X                        X
CBP-IT-13-30      Separated Personnel on DC Metro LAN User Listing                                              Access Controls                       X
CBP-IT-13-31      Separated Personnel on ACE Application User Listing                                           Access Controls                       X             X
CBP-IT-13-33      Contractor Separation Process Weaknesses                                                      Security Management                   X
CBP-IT-13-34      Weaknesses over the Employee Separation Process                                               Security Management                   X

(1) NFR numbers CBP-IT-13-15, CBP-IT-13-21, CBP-IT-13-26, CBP-IT-13-27 and CBP-IT-13-32 were intentionally omitted from sequence.
(2) NFRs designated as “More Significant” represent control deficiencies that we determined to pose an increased risk to the integrity of CBP financial data.

                           OFFICE OF INSPECTOR GENERAL
                              Department of Homeland Security

   Appendix A
   Report Distribution

   Department of Homeland Security

   Secretary
   Deputy Secretary
   Chief of Staff
   Deputy Chief of Staff
   General Counsel
   Executive Secretary
   Director, GAO/OIG Liaison Office
   Assistant Secretary for Office of Policy
   Assistant Secretary for Office of Public Affairs
   Assistant Secretary for Office of Legislative Affairs
   Under Secretary for Management
   Chief Financial Officer
   Chief Information Officer
   Chief Information Security Officer
   Chief Privacy Officer

   Office of Management and Budget

   Chief, Homeland Security Branch
   DHS OIG Budget Examiner

   Congress

   Congressional Oversight and Appropriations Committees, as appropriate

www.oig.dhs.gov                                                             OIG-14-96

ADDITIONAL INFORMATION

To view this and any of our other reports, please visit our website at: www.oig.dhs.gov.

For further information or questions, please contact Office of Inspector General (OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov, or follow us on Twitter at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any other kinds of criminal or noncriminal misconduct relative to Department of Homeland Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov and click on the red tab titled "Hotline" to report. You will be directed to complete and submit an automated DHS OIG Investigative Referral Submission Form.
Submission through our website ensures that your complaint will be promptly received and reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing to:

       Department of Homeland Security
       Office of Inspector General, Mail Stop 0305
       Attention: Office of Investigations Hotline
       245 Murray Drive, SW
       Washington, DC 20528-0305

You may also call 1(800) 323-8603 or fax the complaint directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.